FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
Adryan_you
Staff
Article Id 286810
Description This article describes how to configure a server URL list or wildcard in FortiProxy so that the child proxy bypasses DNS lookup in a web forwarding (proxy chaining) setup.
Scope FortiProxy.
Solution

By default, in an explicit proxy-chain setup, FortiProxy acting as the child proxy performs a DNS lookup for every intercepted client HTTP request. Server URLs can be configured so that certain URLs (url-list type) or all URLs (wildcard type) bypass the DNS lookup in the child proxy and are handed straight to the parent proxy.


The following example creates a URL list 'url-test-1' that exempts 'example.com', 'red.com', and '*.fortinet.com' from DNS lookup in the child proxy. The URL list is then referenced from the server URL (url-match) setting.


config web-proxy url-list
    edit "url-test-1"
        config entries
            edit 1
                set url "example.com"
            next
            edit 2
                set url "red.com"
            next
            edit 3
                set url "*.fortinet.com"
                set type wildcard
            next
        end
    next
end


config web-proxy url-match
    edit "SURL-01-URL-List"
        set type list <--
        set url-list "url-test-1" <--
        set forward-server "Parent-Proxy-FPX"
    next
end


WAD debug output shows that the DNS lookup does not occur when the user browses 'example.com', which matches the URL list:


dia wad debug enable category http
dia wad debug enable category policy
dia wad debug enable category dns
dia wad debug enable level verbose
dia wad filter src <computer_IP@>
dia de console time enable
dia de enable


[I]2023-12-03 20:49:03.550655 wad_dump_http_request :2736 hreq=0x7f99448fda80 Received request from client: 10.100.4.131:64127

GET http://example.com/ HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0

....

....

[V]2023-12-03 20:49:03.550690 wad_http_req_exec_act :13435 dst_addr_type=0 wc_nontp=1 sec_web=1 web_cache=0 req_bypass=0
[V]2023-12-03 20:49:03.550754 wad_url_match_find :167 order=1 hits=1 cache-x=0: 'SURL-01-URL-List' -> 'Parent-Proxy-FPX' <<==
[I]2023-12-03 20:49:03.551008 wad_http_req_policy_set :10268 match policy-id=2 <<====


The WAD debug log below shows DNS lookup occurs when the user tries to browse to 'bbc.com', which is not in the URL list.


Note:

If there is only one explicit proxy policy and that policy has web forwarding enabled, user traffic to a website that is not in the URL list is denied, because no policy matches the request after the DNS lookup.


Example:


[I]2023-12-03 20:49:17.823592 wad_dump_http_request :2736 hreq=0x7f99448fd0b0 Received request from client: 10.100.4.131:64127

GET http://bbc.com/ HTTP/1.1
Host: bbc.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0

.....

.....

[V]2023-12-03 20:49:17.823627 wad_http_req_exec_act :13435 dst_addr_type=0 wc_nontp=1 sec_web=1 web_cache=0 req_bypass=0
[V]2023-12-03 20:49:17.823635 wad_http_req_check_dns :75 hn=0x7f99446135e8 sn=(nil)
[I]2023-12-03 20:49:17.823639 wad_http_dns_resolve :7749 [0x7f99448fd0b0] DNS request name=bbc.com len=7 type/pref=0/0
[I]2023-12-03 20:49:17.911017 wad_http_dns_request_done :12390 [0x7f99448fd0b0] DNS resolved: 151.101.0.81
[V]2023-12-03 20:49:17.911112 wad_http_req_check_policy :11934 start match policy vd=0(ses_ctx:cx|Phx|Mde|Hhf|C|A7|Og) (10.110.1.46:44152@4->151.101.0.81:80@3) absUrl=1
[W]2023-12-03 20:49:17.911127 wad_fast_match_one :3686 No policy matched! <<=====
[I]2023-12-03 20:49:17.911134 wad_http_req_policy_set :10268 match policy-id=0
[E]2023-12-03 20:49:17.911538 wad_http_req_proc_policy :9943 POLICY DENIED <<=====


To have all URLs bypass DNS lookup in the child proxy, configure the server URL with the wildcard type instead:


config web-proxy url-match
    edit "SURL-02-Wildcard"
        set type wildcard <--
        set url-pattern "*" <--
        set forward-server "Parent-Proxy-FPX"
    next
end


The following debug log shows both 'example.com' and 'bbc.com' are forwarded to the parent proxy without DNS lookup:


[I]2023-12-03 21:20:58.220010 wad_dump_http_request :2736 hreq=0x7fb74abf1ab8 Received request from client: 10.100.4.131:64282

GET http://example.com/ HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
.....
.....

[V]2023-12-03 21:20:58.220022 wad_http_marker_uri :1305 scheme=http
[V]2023-12-03 21:20:58.220028 wad_http_marker_uri :1262 path=/ len=1
[I]2023-12-03 21:20:58.220074 wad_http_str_canonicalize :2188 enc=0 path=/ len=1 changes=0
[V]2023-12-03 21:20:58.220084 wad_http_normalize_uri :2335 host_len=11 path_len=1 query_len=0
[V]2023-12-03 21:20:58.220105 wad_http_req_exec_act :13435 dst_addr_type=0 wc_nontp=1 sec_web=1 web_cache=0 req_bypass=0
[V]2023-12-03 21:20:58.220186 wad_url_match_find :167 order=1 hits=18 cache-x=0: 'SURL-02-Wildcard' -> 'Parent-Proxy-FPX'
....
....
[I]2023-12-03 21:20:58.220511 wad_http_req_policy_set :10268 match policy-id=2(pol_ctx:xhf|Ad|7|=d) vd=0(ses_ctx:x|Phx|Mde|Hh|C|A7|O) (10.100.4.131:64282@4 -> 10.110.3.140:80@6)


[I]2023-12-03 21:21:01.290563 wad_dump_http_request :2736 hreq=0x7fb74abf2970 Received request from client: 10.100.4.131:64285
CONNECT bbc.com:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
.....
.....

[I]2023-12-03 21:21:01.290575 wad_http_str_canonicalize :2188 enc=0 path=/ len=1 changes=0
[I]2023-12-03 21:21:01.290586 wad_http_conn_req_classify :6031 no security profile HTTPS/HTTP, tport=443
[V]2023-12-03 21:21:01.290595 wad_url_match_find :167 order=1 hits=21 cache-x=0: 'SURL-02-Wildcard' -> 'Parent-Proxy-FPX'
.....
.....
[I]2023-12-03 21:21:01.290627 wad_http_req_policy_set :10268 match policy-id=2(pol_ctx:xhcf|Ad|7?|=d) vd=0(ses_ctx:x|Phx|Mde|Hh|C|A7|O) (10.100.4.131:64285@4 -> 10.110.3.140:443@6)
[I]2023-12-03 21:21:01.290641 wad_http_req_proc_policy :9923 ses_ctx:x|Phx|Mde|Hhf|C|A7|O conn_srv=0 fwd_srv=Parent-Proxy-FPX
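To check a larger WAD debug capture the same way the three traces above were read by hand, the added Python below (not part of the article or of FortiProxy) walks the log line by line, opens a record at each 'Received request', and notes per request whether a server URL rule matched, whether the child proxy issued its own DNS request, and whether the policy was denied. The embedded sample is condensed from the debug lines quoted in this article; the field names in the records are this example's own.

```python
import re
from typing import Dict, List, Optional

# Sample input condensed from the WAD debug lines quoted in the article (separators/headers dropped).
SAMPLE_LOG = """\
[I]2023-12-03 20:49:03.550655 wad_dump_http_request :2736 hreq=0x7f99448fda80 Received request from client: 10.100.4.131:64127
GET http://example.com/ HTTP/1.1
[V]2023-12-03 20:49:03.550754 wad_url_match_find :167 order=1 hits=1 cache-x=0: 'SURL-01-URL-List' -> 'Parent-Proxy-FPX'
[I]2023-12-03 20:49:03.551008 wad_http_req_policy_set :10268 match policy-id=2
[I]2023-12-03 20:49:17.823592 wad_dump_http_request :2736 hreq=0x7f99448fd0b0 Received request from client: 10.100.4.131:64127
GET http://bbc.com/ HTTP/1.1
[I]2023-12-03 20:49:17.823639 wad_http_dns_resolve :7749 [0x7f99448fd0b0] DNS request name=bbc.com len=7 type/pref=0/0
[I]2023-12-03 20:49:17.911017 wad_http_dns_request_done :12390 [0x7f99448fd0b0] DNS resolved: 151.101.0.81
[W]2023-12-03 20:49:17.911127 wad_fast_match_one :3686 No policy matched!
[E]2023-12-03 20:49:17.911538 wad_http_req_proc_policy :9943 POLICY DENIED
[I]2023-12-03 21:21:01.290563 wad_dump_http_request :2736 hreq=0x7fb74abf2970 Received request from client: 10.100.4.131:64285
CONNECT bbc.com:443 HTTP/1.1
[V]2023-12-03 21:21:01.290595 wad_url_match_find :167 order=1 hits=21 cache-x=0: 'SURL-02-Wildcard' -> 'Parent-Proxy-FPX'
[I]2023-12-03 21:21:01.290641 wad_http_req_proc_policy :9923 ses_ctx:x|Phx|Mde|Hhf|C|A7|O conn_srv=0 fwd_srv=Parent-Proxy-FPX
"""

NEW_REQ = re.compile(r"wad_dump_http_request .*hreq=(0x[0-9a-f]+) Received request")
REQ_LINE = re.compile(r"^(GET|POST|PUT|HEAD|CONNECT) (\S+) HTTP/")
DNS_REQ = re.compile(r"wad_http_dns_resolve .*DNS request name=(\S+)")
URL_MATCH = re.compile(r"wad_url_match_find .*'([^']+)' -> '([^']+)'")

def summarize_wad_log(text: str) -> List[Dict]:
    """Walk the debug stream in order; each 'Received request' line opens a new record."""
    records: List[Dict] = []
    cur: Optional[Dict] = None
    for line in text.splitlines():
        if m := NEW_REQ.search(line):
            cur = {"hreq": m.group(1), "target": None, "dns_lookup": None,
                   "url_match": None, "forward_server": None, "denied": False}
            records.append(cur)
        elif cur is None:
            continue  # lines before the first request are ignored
        elif m := REQ_LINE.match(line):
            cur["target"] = m.group(2)  # absolute URI for GET, host:port for CONNECT
        elif m := DNS_REQ.search(line):
            cur["dns_lookup"] = m.group(1)  # the child proxy resolved the name itself
        elif m := URL_MATCH.search(line):
            cur["url_match"], cur["forward_server"] = m.group(1), m.group(2)
        elif "POLICY DENIED" in line:
            cur["denied"] = True
    return records

def bypassed_dns(rec: Dict) -> bool:
    """True when the request hit a server URL rule and no DNS lookup was logged for it."""
    return rec["url_match"] is not None and rec["dns_lookup"] is None
```

On the sample, the first and third requests show a server URL match with no DNS request, while the second shows the DNS lookup followed by the policy denial described in the note above.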